Installation Overview

SD-AVC operates in a service/agent configuration. For details, see SD-AVC Architecture.

  • Network Service: The SD-AVC network service is installed as a virtualized component on a Cisco device service container, and operates on the device as a service. See: System Requirements: SD-AVC Network Service Host

  • Agent: Other devices in the network are enabled as agents, and communicate with the SD-AVC network service. See: Configuring Network Devices to Use SD-AVC

  • High Availability: SD-AVC supports a high availability (HA) configuration, using more than one SD-AVC network service. See: SD-AVC High Availability

  • Connectivity: Operating SD-AVC requires connectivity between the SD-AVC network service and the SD-AVC agents that operate on devices in the network. See: Configuring Connectivity

Summary of Setup

The following table briefly describes the steps to set up SD-AVC:

Table 1. Setup

| Step | Setup Task | Section |
|---|---|---|
| 1 | Download the open virtual appliance (OVA) file for the SD-AVC network service and install it on a host device accessible by other devices in the network. | See: Installing the SD-AVC Network Service |
| 2 | Enable the SD-AVC agent on Cisco devices in the network, pointing them to the SD-AVC network service set up in the previous step. (In a high availability setup, include more than one SD-AVC network service instance.) | See: Configuring Network Devices |
| 3 | Configure connectivity, or optionally, secure connectivity. | See: Configuring Connectivity, Configuring Secure Connectivity |

System Requirements: SD-AVC Network Service Host

The following table describes platform requirements for hosting the SD-AVC network service.

Table 2. SD-AVC Network Service Host Requirements

| Host | Memory | Storage | Recommended OS (extended maintenance release trains only) | CPU |
|---|---|---|---|---|
| Cisco ASR1001-X Aggregation Services Routers | M-ASR1001X-16GB | NIM-SSD and SSD-SATA-400G | Cisco IOS XE Amsterdam 17.3.1 or later (See note 1.) | |
| Cisco ASR1002-X Aggregation Services Router | M-ASR1002X-16GB | MASR1002X-HD-320G | Cisco IOS XE Amsterdam 17.3.1 or later (See note 1.) | |
| Cisco ASR1002-HX Aggregation Services Router | M-ASR1002HX-16GB | NIM-SSD and SSD-SATA-400G | Cisco IOS XE Amsterdam 17.3.1 or later (See note 1.) | |
| Cisco ISR4431 Integrated Services Router | RAM: MEM-4400-4GU16G; Flash: MEM-FLASH-16G | NIM-SSD and SSD-MSATA-400G | Cisco IOS XE Amsterdam 17.3.1 or later (See note 1.) | |
| Cisco ISR4451 Integrated Services Router | RAM: MEM-4400-4GU16G; Flash: MEM-FLASH-16G | NIM-SSD and SSD-MSATA-400G | Cisco IOS XE Amsterdam 17.3.1 or later (See note 1.) | |
| Cisco CSR1000V Cloud Services Router | Minimum: 8 GB; Recommended: 8 GB | 20 GB | Cisco IOS XE Amsterdam 17.3.1 or later (See notes 1, 2.) | Large-scale scenario (100 or more devices): 4 cores; Small-scale scenario (<100 devices): 1 core. See: Allocating VM CPUs for Cisco CSR1000V |
| Cisco DNA Center Traffic Telemetry Appliance (TTA) | | | Cisco IOS XE Amsterdam 17.3.1 or later | |


Note

  1. Minimum supported OS: Cisco IOS XE Everest 16.6.1 or later

  2. The Cisco CSR1000V Cloud Services Router requires the following license: AX, 2.5 Gbps or higher throughput. See the Cisco CSR1000V Data Sheet.


Configuring Connectivity

Operating SD-AVC requires connectivity between various components.

  • SD-AVC network service and host

  • SD-AVC network service and agents

  • Connectivity to the SD-AVC Dashboard

This section describes the connectivity requirements. If secure connectivity is required, see: Configuring Secure Connectivity

Connectivity between SD-AVC Network Service and Host

Connectivity is required between the SD-AVC network service, which operates as a virtualized service, and the device hosting it. The host platform requires connectivity with the service through a virtual interface called VirtualPortGroup. The virtual service communicates with the host over this virtual interface, using SSH on TCP port 22.

Connectivity between SD-AVC Network Service and Agents

Network devices operating with SD-AVC use an SD-AVC agent, which operates in the background on the device, to communicate with the central SD-AVC network service. Connectivity is required between each of these network devices and the SD-AVC network service (more than one network service in SD-AVC high availability configurations).

  • Ports

    Communication between agent and service uses the following protocols and ports:

    • UDP: Port 50000

    • TCP: Ports 21, 8080, 59990-60000

  • Firewalls and Access Lists

    Ensure that communication is possible from the SD-AVC agent to the SD-AVC network service on these ports for the relevant traffic. For example:

    • Firewall policy must enable communication from the SD-AVC agent to the SD-AVC network service.

    • If a network device has an access control list (ACL) configured, the ACL must permit communication from the SD-AVC agent to the SD-AVC network service.
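
To check an existing ACL against the ports listed above, the following added example (not part of the Cisco documentation) evaluates a pasted extended ACL with first-match semantics and reports which agent-to-service flows it does not permit. The ACL text and the agent subnet 10.20.0.0/16 are constructed; the service address reuses an example service-ip from this page. Only 'any', 'host' and contiguous-wildcard addresses with destination 'eq' or 'range' operators are handled.

```python
import ipaddress

# Agent -> network service ports listed in this section.
REQUIRED = [("udp", 50000), ("tcp", 21), ("tcp", 8080)] + [("tcp", p) for p in range(59990, 60001)]
NAMED_PORTS = {"ftp": 21}  # IOS shows some well-known ports by name

def _addr(tok):
    """Consume 'any', 'host A' or 'A wildcard' and return the network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = (tok.pop(0), "32") if first == "host" else (first, tok.pop(0))
    return ipaddress.ip_network(f"{addr}/{mask}")  # contiguous wildcards only

def parse_ace(line):
    """Return (action, proto, src, dst, (lo, hi)), or None for other lines."""
    tok = [str(NAMED_PORTS.get(t, t)) for t in line.split()]
    if tok and tok[0].isdigit():  # optional sequence number
        tok.pop(0)
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    lo, hi = 0, 65535  # no operator: every destination port
    if tok[:1] == ["eq"]:
        lo = hi = int(tok[1])
    elif tok[:1] == ["range"]:
        lo, hi = int(tok[1]), int(tok[2])
    return action, proto, src, dst, (lo, hi)

def decide(aces, proto, agents, service, port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, a_proto, src, dst, (lo, hi) in aces:
        if a_proto in ("ip", proto) and agents.subnet_of(src) and service in dst and lo <= port <= hi:
            return action
    return "deny"

def missing_flows(acl_text, agents, service):
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return [(pr, po) for pr, po in REQUIRED if decide(aces, pr, agents, service, po) != "permit"]

# Constructed sample ACL; 10.20.0.0/16 is a hypothetical agent subnet.
SAMPLE_ACL = """\
ip access-list extended BRANCH-OUT
 10 permit udp 10.20.0.0 0.0.255.255 host 10.56.196.146 eq 50000
 20 permit tcp 10.20.0.0 0.0.255.255 host 10.56.196.146 eq ftp
 30 deny   tcp any any range 8000 8999
 40 permit tcp 10.20.0.0 0.0.255.255 host 10.56.196.146 eq 8080
 50 permit tcp 10.20.0.0 0.0.255.255 host 10.56.196.146 range 59990 59999
"""
AGENTS, SERVICE = ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_address("10.56.196.146")

if __name__ == "__main__":
    print(missing_flows(SAMPLE_ACL, AGENTS, SERVICE))
```

In the sample, TCP 8080 is reported because the broader deny in entry 30 matches first, and TCP 60000 because the range in entry 50 stops one port short.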

Connectivity to the SD-AVC Dashboard

Connecting to the SD-AVC Dashboard (see Using SD-AVC) requires access to the device hosting the SD-AVC network service, and involves TCP traffic through port 8443. Ensure that network policy (firewall, ACL, and so on) permits this connectivity for devices requiring access to the SD-AVC Dashboard.

Using SD-AVC with Cisco IWAN

When operating SD-AVC in a Cisco IWAN environment, the SD-AVC network service may be hosted on the hub master controller (MC) or on a router dedicated for the purpose of hosting the service.

In either case, verify that the host device meets the system requirements for hosting the SD-AVC network service.

See: System Requirements: SD-AVC Network Service Host, Installing the SD-AVC Network Service

Installing the SD-AVC Network Service

The SD-AVC network service operates as a virtualized service on a Cisco router. It is installed as an open virtual appliance (OVA) virtual machine container, and requires a few steps of configuration on the host router. After configuration is complete, you can check service status using the browser-based SD-AVC Dashboard.

Table 3. Overview of Installation Steps

| Task | Steps |
|---|---|
| System requirements | Step 1 |
| Installation | Steps 2 to 7 |
| Configuration, Activation | Steps 8 to 12 |
| Verification | Steps 13 to 14 |
| Connecting to SD-AVC Dashboard | Step 15 |

Examples follow the steps below.

Installation Procedure

The following procedure installs the SD-AVC network service as a virtualized service on a Cisco router.

  1. Verify that the intended host device meets the system requirements. See: System Requirements: SD-AVC Network Service Host

  2. Download the OVA container for the SD-AVC network service from Cisco.com, using the Download Software tool. Specify a platform that supports hosting the SD-AVC virtual service, then navigate to software downloads for the platform. Select the "SD AVC Router Virtual Service" option to display available OVA files for SD-AVC.

    Example filename: iosxe-sd-avc.2.1.0.ova

  3. Copy the downloaded OVA file onto the device that will host the SD-AVC network service. Copy to one of the following locations, depending on the platform type:

    • For the CSR1000V router, use: bootflash

    • For ASR1000 Series or ISR4000 Series devices, use: harddisk

      harddisk refers to the SSD or HD specified in the system requirements for the platform (System Requirements: SD-AVC Network Service Host).

  4. On the device, verify that the MD5 checksum of the downloaded package matches the checksum value provided.


    Note

    The correct MD5 checksum value appears on the Download Software page when downloading the package.


    verify /md5 bootflash:ova-filename.ova

    Example:

    Device#verify /md5 bootflash:iosxe-sd-avc.2.1.0.ova
    ......................................................................................Done!
    verify /md5 (bootflash:iosxe-sd-avc.2.1.0.ova) = d8b7af1b163ccc5ad28582a3fd86c44e
    
     
  5. Ensure that the system time is set correctly on the host device.

    • (If using an NTP server) Verify that the platform is connected to the NTP server and that the system time is correct.

    • (If setting time manually) Set the system time correctly.


    Important

    If you change the system time after the SD-AVC service is already running, uninstall and re-install the SD-AVC service to ensure correct synchronization.


  6. If specific DNS servers are required, configure the server(s) on the host device.


    Important

    Adding DNS servers after SD-AVC is active restarts the SD-AVC network service. During restart, the following are interrupted:

    • Protocol Pack deployment to network devices

    • Vertical debug


  7. On the host device, execute the following command to extract the OVA package and install the SD-AVC network service. By default, it is installed on the same storage device where the OVA package was saved.

    service sd-avc install package disk-with-OVA : OVA-filename media location-for-OVA-expansion
    Table 4. Command Details

    CLI keyword/argument

    Description

    disk-with-OVA

    Specify one of the following, according to the platform type. The location refers to where the OVA was saved in a previous step.

    • CSR: bootflash

    • ASR1000 Series or ISR4000 Series: harddisk

    OVA-filename

    Downloaded OVA file.

    location-for-OVA-expansion

    Specify one of the following, according to the platform type:

    • For CSR1000V routers, use: bootflash

    • For ASR1000 Series or ISR4000 Series devices, use only: harddisk

      Important 

      On ASR1000 and ISR4000 platforms, do not use bootflash. The CLI may incorrectly allow you to choose bootflash, but this causes the step to fail. On these platforms, specify only harddisk.

    Examples:

    • For CSR1000V router:

      service sd-avc install package bootflash:iosxe-sd-avc.2.1.0.ova media bootflash
      
    • For ASR1000 Series or ISR4000 Series routers:

      service sd-avc install package harddisk:iosxe-sd-avc.2.1.0.ova media harddisk
      
  8. Configure the SD-AVC network service.

    • Specify the router gateway interface that the virtualized service uses for external access.

    • Specify a user-selected external-facing service IP address for the SD-AVC network service. This address must be within the same subnet as the gateway interface address.

    This step accomplishes the following:

    • Enables routers in the network to communicate with the SD-AVC network service.

    • Enables access to the browser-based SD-AVC Dashboard.


    Note

    Use this command only in scenarios in which the gateway interface is not attached to a VRF. If the gateway interface is attached to a VRF, use the steps described in Operating the SD-AVC Network Service with Host Interface Attached to a VRF.


    service sd-avc configure gateway interface interface service-ip service-ip-address [activate | preview]
    Table 5. Command Details

    CLI keyword/argument

    Description

    activate

    Activates the service immediately. It is not typically recommended to use this option during this configuration step. Execute the activate option in a separate step, as shown below.

    preview

    Preview the configuration without configuring or activating the service. When using this option, the configuration is not sent to the device.

    Note: If the gateway interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF.

    Example output:

    ! Virtual port configuration
    interface VirtualPortGroup31
      description automatically created for sd-avc service by 'service sd-avc configure' exec command
      ip unnumbered gigabitEthernet1
    end
    
    ! Virtual service configuration
    virtual-service SDAVC
      description automatically created for sd-avc service by 'service sd-avc configure' exec command
      vnic gateway VirtualPortGroup31
        guest ip address 10.56.196.101
      exit
    end
    
    ! Static route configuration
    ip route  10.56.196.101 255.255.255.255 VirtualPortGroup31
    
    
    interface

    Gateway interface: The device interface that the virtualized service uses for external access.

    Note: If the interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF for instructions for configuring the gateway.

    service-ip-address

    External-facing IP address, must be in the same subnet as the IP of the gateway interface.

    Example:

    Gateway interface: 10.56.196.100

    service-ip-address: 10.56.196.101

    Example:

    service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
    
    
  9. Activate the service.

    service sd-avc activate

    Example:

    service sd-avc activate
    
  10. Verify that the status of the SD-AVC network service is activated.

    service sd-avc status

    If installation and activation were successful, the displayed status is:

    SDAVC service is installed, configured and activated
    
    
  11. (ASR1000 Series or ISR4000 Series routers only, not CSR1000 Series) Execute the following:

    (config)#platform punt-policer service-engine 100000 100000
    
    
  12. Save the new configuration.

    copy running-config startup-config
  13. Ping the service IP configured in a previous step to verify that it is reachable.

  14. Verify that SSH is enabled on the host device. Details vary according to different scenarios, but the following is a helpful reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

    Example (uses SSH local authentication):

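    aaa new-model
    !
    aaa authentication login default local
    ! Example credentials only: replace with a site-specific username and password.
    ! The SD-AVC Dashboard uses the same authentication as this host (step 15).
    username cisco privilege 15 password cisco
    ip domain name cisco.com
    crypto key generate rsa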
    
    
  15. Wait several minutes for the service to become fully active, then use a Chrome browser to access the browser-based SD-AVC Dashboard, at the following URL, which uses the service-ip configured in an earlier step and port 8443. The SD-AVC Dashboard uses the same authentication as the platform hosting the SD-AVC network service.

    https://<service-ip>:8443


    Note

    Accessing the SD-AVC Dashboard requires connectivity from the PC you are using to access the SD-AVC interface.
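
The checks in steps 4, 7 and 8 can be scripted before anything is typed on the router. The following is an added example, not Cisco code: it compares the `verify /md5` result with the published checksum, checks the storage location for the platform, confirms that the service IP is a free address in the gateway subnet, and only then emits the commands. The function name preflight, the /24 mask on the gateway address and the published checksum value are assumptions for illustration.

```python
import ipaddress
import re

# Storage location per platform family (steps 3 and 7 of the procedure).
DISK = {"CSR1000V": "bootflash", "ASR1000": "harddisk", "ISR4000": "harddisk"}
RESULT = re.compile(r"^verify /md5 \((\w+):(\S+)\) = ([0-9a-fA-F]{32})\s*$", re.M)

def preflight(platform, verify_output, published_md5, gw_if, gw_addr, service_ip):
    """Return (problems, commands); commands is empty if any check fails."""
    problems, disk = [], DISK[platform]
    m = RESULT.search(verify_output)
    if m is None:
        return ["no 'verify /md5' result found in the output"], []
    found_disk, ova, digest = m.group(1), m.group(2), m.group(3).lower()
    if digest != published_md5.strip().lower():
        problems.append("MD5 mismatch: the copied OVA differs from the published package")
    if found_disk != disk:
        problems.append(f"{platform} requires the OVA on {disk}, found {found_disk}")
    gw = ipaddress.ip_interface(gw_addr)  # gateway interface address with mask
    svc = ipaddress.ip_address(service_ip)
    if svc not in gw.network:
        problems.append(f"service-ip {svc} is outside the gateway subnet {gw.network}")
    elif svc in (gw.ip, gw.network.network_address, gw.network.broadcast_address):
        problems.append(f"service-ip {svc} is not a free host address in {gw.network}")
    if problems:
        return problems, []
    return [], [
        f"service sd-avc install package {disk}:{ova} media {disk}",
        f"service sd-avc configure gateway interface {gw_if} service-ip {svc}",
        "service sd-avc activate",
        "service sd-avc status",
    ]

# 'verify /md5' output as shown in step 4; the progress dots are shortened.
VERIFY_OUTPUT = """\
Device#verify /md5 bootflash:iosxe-sd-avc.2.1.0.ova
..........Done!
verify /md5 (bootflash:iosxe-sd-avc.2.1.0.ova) = d8b7af1b163ccc5ad28582a3fd86c44e
"""
# Stand-in for the value shown on the Download Software page (constructed).
PUBLISHED = "d8b7af1b163ccc5ad28582a3fd86c44e"

if __name__ == "__main__":
    for platform in ("CSR1000V", "ASR1000"):
        print(platform, preflight(platform, VERIFY_OUTPUT, PUBLISHED,
                                  "gigabitEthernet1", "10.56.196.100/24", "10.56.196.101"))
```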


Installation Example for CSR1000V Router

The following is an example of the CLI steps used to install the SD-AVC Network Service on a Cisco CSR1000V Cloud Services Router. For this router, the first step includes “bootflash” as the location for extracting the OVA.

service sd-avc install package bootflash:iosxe-sd-avc.2.1.0.ova media bootflash
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
copy running-config startup-config

Installation Example for ASR1000 Series or ISR4000 Series Routers

The following is an example of the CLI steps used to install the SD-AVC network service on a Cisco ASR1000 Series or ISR4000 Series Router. For these routers, the first step includes “harddisk” as the location for extracting the OVA.

service sd-avc install package harddisk:iosxe-sd-avc.2.1.0.ova media harddisk
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
platform punt-policer service-engine 100000 100000
copy running-config startup-config

Upgrading the SD-AVC Network Service

Use the following procedure to upgrade the SD-AVC network service on the router hosting the service.


Note

Upgrading clears the traffic data stored by the SD-AVC network service.


Table 6. Overview of Upgrade Steps

| Task | Steps |
|---|---|
| Installation | Steps 1 to 7 |
| Activation | Step 8 |
| Verification | Step 9 |

  1. Download the OVA container for the SD-AVC network service from Cisco.com, using the Software Download tool. Specify a platform that supports hosting the SD-AVC virtual service, then navigate to software downloads for the platform. Select the "SD AVC Router Virtual Service" option to display available OVA files for SD-AVC.

    Example filename: iosxe-sd-avc.2.1.0.ova

  2. Copy the downloaded OVA file onto the device hosting the SD-AVC network service to be upgraded. Copy to one of the following locations, depending on the platform type:

  3. On the device, verify the MD5 checksum of the downloaded package. The correct MD5 checksum value appears on the Download Software page when downloading the package.

    verify /md5 bootflash:ova-filename.ova

    Example:

    Device#verify /md5 bootflash:iosxe-sd-avc.2.1.0.ova
    ......................................................................................Done!
    verify /md5 (bootflash:iosxe-sd-avc.2.1.0.ova) = d8b7af1b163ccc5ad28582a3fd86c44e
    
     
  4. Deactivate the service. This step stops the service but does not erase the database of compiled application data.

    service sd-avc deactivate
  5. Verify that the service has been deactivated.

    service sd-avc status

    The following output confirms that the service has been deactivated:

    Service SDAVC is installed, configured and deactivated
    
    
  6. On the host router, execute the following command to extract and install the OVA package. By default, it is installed on the same storage device where the OVA package is stored.

    service sd-avc upgrade package disk-with-OVA : OVA-filename
    Table 7. Command Details

    CLI keyword/argument

    Description

    disk-with-OVA

    Specify one of the following, according to the platform type. The location refers to where the OVA was stored in a previous step.

    • CSR: bootflash

    • ASR1000 Series or ISR4000 Series: harddisk

    OVA-filename

    Downloaded OVA file.

    Examples:

    • For Cisco CSR1000V router:

      service sd-avc upgrade package bootflash:iosxe-sd-avc.2.1.0.ova
      
    • For Cisco ASR1000 Series or ISR4000 Series routers:

      service sd-avc upgrade package harddisk:iosxe-sd-avc.2.1.0.ova
      
  7. (Optional) During the upgrade process, view the service status.

    service sd-avc status

    During the upgrade, the following output indicates that the service is being installed:

    Service SDAVC is installing..., configured and deactivated
    
    

    The following output indicates that the upgrade is complete:

    Service SDAVC is installed, configured and deactivated
    
    
  8. Activate the service.

    service sd-avc activate

    Example:

    service sd-avc activate
    
    
  9. Verify that the status of the SD-AVC network service is activated.

    service sd-avc status

    If upgrade and activation were successful, the displayed status is:

    SDAVC service is installed, configured and activated